This article tackles the question of how to perform dynamic linking securely with PSD2 compliance in mind. There are a few options, but not all of them are equally "good".
In our previous post we already discussed the main points of SCA and the role dynamic linking plays in it. This time we take a more practical approach and explore the different ways you can perform dynamic linking. We will look at three different methods and compare their pros and cons.
In short, dynamic linking requires an "authentication code" that is unique to each transaction and is bound to the essential information about the transaction (the amount and the recipient of the payment) through every step of the payment and authentication process. The payer has to be aware of both the amount and the recipient when authenticating the transaction. If the authentication code or any of the essential information changes during the transaction, the transaction fails. Now let's talk about the different ways this can be done in practice.
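To make the requirement concrete, here is an added example (not code from the original article) of how a server can bind an authentication code to the amount and payee and reject any later change. The choice of HMAC-SHA256, the field encoding, the two-decimal amount normalisation and the demo key are assumptions for the illustration; the article does not prescribe a specific algorithm.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key for this example only; a real issuer would hold
# per-device or HSM-protected key material instead.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def canonical_transaction(tx_id: str, amount: str, currency: str, payee: str) -> bytes:
    """Encode the essential transaction data unambiguously.

    The amount is normalised to two decimal places (assumption: a currency
    with two minor units) and every field is length-prefixed, so that e.g.
    amount "10" with currency "0EUR" cannot collide with "100" and "EUR".
    """
    fields = [tx_id, format(Decimal(amount).quantize(Decimal("0.01")), "f"), currency, payee]
    out = bytearray()
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(2, "big") + data
    return bytes(out)


def authentication_code(key: bytes, tx_id: str, amount: str, currency: str, payee: str) -> str:
    """Derive the per-transaction authentication code as an HMAC over the
    canonical transaction data, so the code is unique to this transaction
    and cannot be recomputed without the key."""
    mac = hmac.new(key, canonical_transaction(tx_id, amount, currency, payee), hashlib.sha256)
    return mac.hexdigest()


def verify_transaction(key: bytes, code: str, tx_id: str, amount: str, currency: str, payee: str) -> bool:
    """Recompute the code from the data the payer actually saw and approved
    and compare in constant time. A changed amount or payee fails here."""
    expected = authentication_code(key, tx_id, amount, currency, payee)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample transaction; the payee is a placeholder, not a real account.
    code = authentication_code(SERVER_KEY, "tx-0001", "125.00", "EUR", "DE00-EXAMPLE-IBAN")
    print("original verifies:", verify_transaction(SERVER_KEY, code, "tx-0001", "125.00", "EUR", "DE00-EXAMPLE-IBAN"))
    print("tampered amount verifies:", verify_transaction(SERVER_KEY, code, "tx-0001", "1250.00", "EUR", "DE00-EXAMPLE-IBAN"))
    print("tampered payee verifies:", verify_transaction(SERVER_KEY, code, "tx-0001", "125.00", "EUR", "DE00-OTHER-IBAN"))
```

Whatever channel carries the code (push message, QR code or SMS), the check on the server side is the same: the code only verifies against the exact amount and recipient the payer approved.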
There are a few ways to perform dynamic linking effectively. One of the most common, which you will certainly be familiar with if you have ever used a mobile banking application, relies on so-called push notifications.
The core of this approach is that the essential transaction data is transferred from the "financial service server" to the mobile app inside an encrypted push notification message.
In practice it would work something like this:
This approach fulfils all of the dynamic linking requirements and is quite convenient.
Another practical way to implement dynamic linking is through QR codes, which are also considered quite convenient, as they do not require the user to enter any data manually during the authentication process.
Quick, compliant, and certainly simple.
As we already mentioned above, there clearly isn't only one "right way" to perform dynamic linking, but some ways are more contested than others. A perfect example is transaction authorization numbers (TANs) sent by SMS. Although SMS can be enough to prove possession, and the TAN can be sent together with the essential transaction details, the security of SMS messages by itself is far too low, as there are many ways they can be tampered with. This brings us back to the SCA requirement of "security measures which ensure the confidentiality, authenticity, and integrity of the transaction", as stated in the Regulatory Technical Standards for PSD2, Article 5.
We sincerely hope that this article helped you navigate around the different ways dynamic linking can be performed and made this sometimes confusing topic a little bit clearer!